Malware Analysis Report

2025-01-22 09:09

Sample ID 240521-14sxlaca41
Target Solara.zip
SHA256 c7343df34a196ab643130de666b93ced7114b958d38381619aa63c3b427d920d
Tags
redline discovery execution infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7343df34a196ab643130de666b93ced7114b958d38381619aa63c3b427d920d

Threat Level: Known bad

The file Solara.zip was found to be: Known bad.

Malicious Activity Summary

redline discovery execution infostealer spyware stealer

RedLine

RedLine payload

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 22:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-21 22:12

Reported

2024-05-21 22:16

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\luajit.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\luajit.exe

"C:\Users\Admin\AppData\Local\Temp\luajit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 22:12

Reported

2024-05-21 22:14

Platform

win7-20240221-en

Max time kernel

57s

Max time network

58s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\luajit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1984 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\luajit.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Users\Admin\AppData\Local\Temp\luajit.exe

luajit.exe log

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab21A8.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2218.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 22:12

Reported

2024-05-21 22:16

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1856 set thread context of 4560 N/A C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Setup\Scripts\ErrorHandler.cmd C:\Users\Admin\AppData\Local\Temp\luajit.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608033060489741" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1680 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\luajit.exe
PID 1248 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\luajit.exe C:\Windows\SysWOW64\schtasks.exe
PID 1248 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\luajit.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\luajit.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3472 wrote to memory of 1680 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4168 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 1884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 1884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3472 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Users\Admin\AppData\Local\Temp\luajit.exe

luajit.exe log

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 11:24 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Register-ScheduledTask -TaskName 'Um9ibG94Nzk4' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init

C:\Windows\system32\rundll32.exe

rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6ab4ab58,0x7ffc6ab4ab68,0x7ffc6ab4ab78

C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe

C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4384 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1968,i,8663806780033039368,1445414516934675112,131072 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6ab4ab58,0x7ffc6ab4ab68,0x7ffc6ab4ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2320 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4956 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2256 --field-trial-handle=1980,i,12565394943065861320,18155839964988515705,131072 /prefetch:1
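The command lines above form a short chain: Launcher.bat runs cacls against config\system (the usual batch idiom for testing administrator rights), luajit.exe registers two scheduled tasks (one via schtasks.exe with /rl highest, one via PowerShell whose task name 'Um9ibG94Nzk4' is base64 for Roblox798 and whose action launches a binary under AppData\Roaming), rundll32 loads lua.dll from AppData, and RegAsm.exe is started with no arguments, which does nothing useful on its own and, read together with the SetThreadContext signature in the summary, is the likely injection target. The following is an added example, not part of the sandbox report, that encodes those heuristics and runs them over constructed process-creation events modelled on the command lines recorded here. PIDs the report does not give (cmd.exe, cacls, Roblox.exe, RegAsm.exe) and the trailing benign schtasks event are assumed.

```python
import base64
import binascii
import re

# Constructed process-creation events modelled on the Processes section above.
# PIDs 1248 (luajit), 3680 (schtasks), 2372 (powershell) and 868 (rundll32) come
# from the "wrote to memory" log; the other PIDs are assumed, and the last event
# is a benign control (admin-registered task in Program Files) that must not fire.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"'},
    {"pid": 901, "ppid": 900, "image": r"C:\Windows\system32\cacls.exe",
     "cmdline": r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"'},
    {"pid": 1248, "ppid": 900, "image": r"C:\Users\Admin\AppData\Local\Temp\luajit.exe",
     "cmdline": "luajit.exe log"},
    {"pid": 3680, "ppid": 1248, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /st 11:24 /f /tn WindowsSetup '
                '/tr "C:/Windows/System32/oobe/Setup.exe" /rl highest'},
    {"pid": 2372, "ppid": 1248, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command \"Register-ScheduledTask -TaskName 'Um9ibG94Nzk4' "
                "-Action (New-ScheduledTaskAction -Execute "
                "'C:\\Users\\Admin\\AppData\\Roaming\\Roblox\\Studio\\Roblox.exe') -Force\""},
    {"pid": 868, "ppid": 1248, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": 'rundll32 "C:\\Users\\Admin\\AppData\\Roaming\\Lua\\bin\\lua.dll", init'},
    {"pid": 4500, "ppid": 1, "image": r"C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe"},
    {"pid": 4510, "ppid": 4500, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 6000, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

# Locations a standard user can write to; persistence or DLL loads from here are suspect.
USER_WRITABLE = re.compile(
    r"[\\/]Users[\\/][^\\/]+[\\/](AppData|Downloads|Desktop|Documents)[\\/]", re.I)


def decode_task_name(name):
    """Return the plaintext behind a base64-looking task name, or None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except binascii.Error:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage(events):
    """Apply the heuristics to a list of process events; return (pid, rule, detail) tuples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        name = re.split(r"[\\/]", e["image"])[-1].lower()
        parent = by_pid.get(e["ppid"], {}).get("image", "")
        # cacls on the SYSTEM hive only succeeds when elevated: a batch-file admin check.
        if name == "cacls.exe" and re.search(r"config[\\/]system", cmd, re.I):
            findings.append((e["pid"], "admin_check_via_cacls", cmd))
        # A highest-privilege task created by something living in a user-writable directory.
        if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            if re.search(r"/rl\s+highest", cmd, re.I) and USER_WRITABLE.search(parent):
                findings.append((e["pid"], "schtasks_highest_from_user_dir", cmd))
        # Register-ScheduledTask whose action lives under the user profile; decode the name.
        if name == "powershell.exe" and "Register-ScheduledTask" in cmd:
            task = re.search(r"-TaskName\s+'([^']+)'", cmd)
            exe = re.search(r"-Execute\s+'([^']+)'", cmd)
            if exe and USER_WRITABLE.search(exe.group(1)):
                decoded = decode_task_name(task.group(1)) if task else None
                detail = f"runs {exe.group(1)}"
                if decoded:
                    detail += f"; task name base64-decodes to {decoded!r}"
                findings.append((e["pid"], "scheduled_task_in_user_dir", detail))
        # rundll32 loading a DLL from the user profile rather than a system directory.
        if name == "rundll32.exe":
            dll = re.search(r'"?([^",]+\.dll)"?', cmd, re.I)
            if dll and USER_WRITABLE.search(dll.group(1)):
                findings.append((e["pid"], "rundll32_user_dir_dll", dll.group(1)))
        # RegAsm.exe with no assembly argument is a hollowing target, not a real invocation.
        if name == "regasm.exe":
            rest = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmd.strip())
            if not rest:
                findings.append((e["pid"], "regasm_no_arguments", f"parent {parent}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:32}  {detail}")
```

Each rule is keyed on the combination the report actually shows (a privileged task created from a Temp-resident parent, a task action under AppData, a DLL outside the Windows tree) rather than on schtasks, PowerShell or rundll32 alone, so an administrator's own Program Files task passes while the chain above produces five findings.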

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
RU 80.66.81.137:80 80.66.81.137 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 137.81.66.80.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
RU 80.66.81.138:80 80.66.81.138 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 138.81.66.80.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
RU 147.45.47.64:11837 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 64.47.45.147.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.187.238:443 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 45.146.23.2.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com udp
US 8.8.8.8:53 img.youtube.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
GB 142.250.179.238:443 img.youtube.com udp
US 8.8.8.8:53 ludiquemendo.fun udp
FR 195.35.49.171:443 ludiquemendo.fun tcp
FR 195.35.49.171:443 ludiquemendo.fun udp
US 8.8.8.8:53 robflashy.com udp
LT 84.32.84.32:443 robflashy.com tcp
LT 84.32.84.32:443 robflashy.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.169.74:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 171.49.35.195.in-addr.arpa udp
US 8.8.8.8:53 32.84.32.84.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
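The table mixes four kinds of rows: queries to the 8.8.8.8 resolver, reverse (PTR) lookups the sandbox issues for every address it sees, Chrome's own background traffic, and the handful of endpoints worth carrying forward: the bare-IP HTTP connections to 80.66.81.137 and 80.66.81.138, the connection to 147.45.47.64:11837 with no DNS name and a non-standard port, the ip-api.com request behind the "Looks up external IP address via web service" signature, and the GitHub download. Below is an added example, not taken from the report, that parses rows in this layout and buckets them so the noise drops out. The subset of rows is copied from the table above; the Google/Microsoft allowlist is an assumption about sandbox background traffic, and because ludiquemendo.fun and robflashy.com appear among the Chrome rows they should be tied to the process that made the connection before being treated as sample IOCs.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the Network table above (Country Destination Domain Proto).
# Rows with no domain (mDNS, the bare-IP connection) have only three columns.
NETWORK_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
RU 80.66.81.137:80 80.66.81.137 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
RU 80.66.81.138:80 80.66.81.138 tcp
GB 142.250.187.196:443 www.google.com udp
N/A 224.0.0.251:5353 udp
RU 147.45.47.64:11837 tcp
US 8.8.8.8:53 ludiquemendo.fun udp
FR 195.35.49.171:443 ludiquemendo.fun tcp
LT 84.32.84.32:443 robflashy.com tcp
GB 172.217.169.74:443 content-autofill.googleapis.com tcp
"""

# Assumed classification lists: adjust to the sandbox's known background traffic.
BACKGROUND_SUFFIXES = ("google.com", "googleapis.com", "microsoft.com", "gstatic.com", "youtube.com")
GEOLOCATION_SERVICES = ("ip-api.com",)
CODE_HOSTING = ("github.com", "githubusercontent.com")


def parse_rows(text):
    """Turn the whitespace-separated table into dicts; tolerate the 3-column rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ipaddress.ip_address(host),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def _matches(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def extract_iocs(text):
    """Bucket the connections; resolver, PTR, multicast and private traffic is dropped."""
    buckets = defaultdict(set)
    for r in parse_rows(text):
        ip, domain = r["ip"], r["domain"]
        if r["port"] == 53 or domain.endswith(".in-addr.arpa"):
            continue  # DNS plumbing, not a destination the sample spoke to
        if ip.is_multicast or ip.is_private or ip.is_loopback:
            continue  # mDNS and LAN chatter
        endpoint = f"{ip}:{r['port']}"
        if not domain or domain == str(ip):
            buckets["direct_ip"].add(endpoint)          # no name at all: prioritise
        elif _matches(domain, GEOLOCATION_SERVICES):
            buckets["geolocation_check"].add(domain)
        elif _matches(domain, CODE_HOSTING):
            buckets["payload_hosting"].add(domain)
        elif _matches(domain, BACKGROUND_SUFFIXES):
            buckets["background_noise"].add(domain)
        else:
            buckets["domain"].add(domain)
            buckets["domain_ip"].add(endpoint)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, values in extract_iocs(NETWORK_ROWS).items():
        print(f"{bucket:18} {', '.join(values)}")
```

The direct_ip bucket is the one to act on first: a connection with neither a DNS name nor a standard port is the shape of the stealer's own channel, while the domain bucket still needs the process attribution that this table alone does not carry.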

Files

memory/1248-62-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-63-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-61-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-86-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/1248-85-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/1248-84-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/1248-83-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/1248-60-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-59-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-58-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-57-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-56-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-55-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-54-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-53-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-52-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-51-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-50-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-49-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-47-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-45-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-44-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-43-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-42-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-41-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-40-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-33-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-32-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-31-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-30-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-29-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-28-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-27-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-26-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-25-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-23-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-20-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-19-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-18-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-17-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-16-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-15-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-13-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-11-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-10-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-9-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-8-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-6-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-5-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-4-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-3-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-1-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-48-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-46-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-39-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-38-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-36-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-37-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-34-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-35-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-24-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-22-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-21-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-14-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-12-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-7-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-2-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1248-0-0x000000007F110000-0x000000007F120000-memory.dmp

memory/2372-178-0x00000000731DE000-0x00000000731DF000-memory.dmp

memory/2372-179-0x0000000002AE0000-0x0000000002B16000-memory.dmp

memory/2372-180-0x0000000005200000-0x0000000005828000-memory.dmp

memory/2372-181-0x00000000731D0000-0x0000000073980000-memory.dmp

memory/1248-182-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/2372-187-0x00000000731D0000-0x0000000073980000-memory.dmp

memory/2372-189-0x00000000059A0000-0x0000000005A06000-memory.dmp

memory/2372-190-0x0000000005A10000-0x0000000005A76000-memory.dmp

memory/2372-188-0x00000000051C0000-0x00000000051E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zra35ntf.jkb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2372-200-0x0000000005A80000-0x0000000005DD4000-memory.dmp

memory/2372-201-0x0000000006070000-0x000000000608E000-memory.dmp

memory/2372-202-0x0000000006180000-0x00000000061CC000-memory.dmp

memory/2372-205-0x000000006FAD0000-0x000000006FB1C000-memory.dmp

memory/2372-204-0x0000000007200000-0x0000000007232000-memory.dmp

memory/2372-216-0x00000000731D0000-0x0000000073980000-memory.dmp

memory/2372-218-0x00000000731D0000-0x0000000073980000-memory.dmp

memory/2372-219-0x00000000731D0000-0x0000000073980000-memory.dmp

memory/2372-217-0x0000000007270000-0x0000000007313000-memory.dmp

memory/2372-215-0x0000000007240000-0x000000000725E000-memory.dmp

memory/2372-221-0x00000000073B0000-0x00000000073CA000-memory.dmp

memory/2372-220-0x0000000007A00000-0x000000000807A000-memory.dmp

memory/2372-222-0x0000000007430000-0x000000000743A000-memory.dmp

memory/2372-223-0x0000000007620000-0x00000000076B6000-memory.dmp

memory/2372-224-0x00000000075B0000-0x00000000075C1000-memory.dmp

memory/2372-226-0x00000000731D0000-0x0000000073980000-memory.dmp

memory/2372-229-0x00000000731D0000-0x0000000073980000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\json[1].json

MD5 bd0c2d8e6b0fe0de4a3869c02ee43a85
SHA1 21d8cca90ea489f88c2953156e6c3dec6945388b
SHA256 3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533
SHA512 496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 7796d81eaaaa0a588ab7d590d98bfeec
SHA1 8b56c9598a621bf554b0f9d1d5185dd7962ee7dd
SHA256 9b658580099364ef18cf2dfd8afa23bca333eac7be0d87771451cd9c7d665708
SHA512 7768e8d3b171eb8d2acedef57df1d34ba452c2dce06fe15ab20721ba83c3fbe77f240af2b8f5b7f4ec43afe9d2f56b79af89fec39f499dc1bc6d136db22cca2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 a1ea63317f798b4a8794feed068eb885
SHA1 89145042b32e863139c8d3b67763d1aaeb84628f
SHA256 4cb414ada8d6af38feb16ac9db9da6a1480992aa217560134e02a72fb53a5b0f
SHA512 bf7b88fc2c725e62dfa3ee08ff5d246f17fb4397bd745a99546b8083586a8aea334a431275de65c454b8c46b6ab90b9e0053d30b616cba28ccf7593697ff21dd

C:\Users\Admin\Pictures\468F6343C0E64931970330C6539573CB

MD5 0685f628f7b26462640a2d8647a9db08
SHA1 dfd04f884ca8ef1074a28153d0d9754462693a2d
SHA256 4d2490dfccac8fff703222d3d3b82d3c390b4b9458c3e3e305dc4a29389b5e39
SHA512 7fe7549f120349ccaf39719595d1bd338882b8191f85f5f4d3f6a2e7688b1e442db2eda6db2fc8ac5b09a2e7574fbfd2bdaf72946e587fce2de610bcaaf723ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

MD5 2a9067843ff51dad6d9d24dbd6c2b824
SHA1 b14a0b7669e95ff753d90a8b46e592e85d9c9f9e
SHA256 11801ae78eeeafe6b66404b29257cb6be1e570e344a51abd16707bebd0009c51
SHA512 e4b0bb28bc24b99817cce1a1e9622a0721d52134e649e4f97ac12ae2b3086b8880d19745ca5f0d3116c7e0b9388ca0d3a55e905c80c38442ecc3e645bc620355

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

MD5 72d4880bc5c5e75d2c69ea85932f6015
SHA1 ac33593f45a034fef778aa22b0b93dd29a6c7366
SHA256 7e576ce866607f8e6802355e09db9431853bd6568fc239ff4e3308b4edc06b6d
SHA512 ba0976e2b8652d3dc71558e669ab450b793c49a61aa01a1b0b4dfe9a6c8bf0ab065548a314bad955104be5d5ef6948d959569433c40c69b01dd8b3ac09fa36e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

MD5 6f78c82189354eefda54e26116fa17e0
SHA1 2033b822b309c8aac2898766d3201db89885d703
SHA256 50788f1b1b8eaa6ba6d5f2d206573128e10a403290b907969f892d4dd0f47edc
SHA512 7a5cd6871a6c84c02e148ca44cc1f56048b195bc0d8b5578aff2e01744338b65eae36530fd97346432d9ada97dbbcf655a3d598630753d007f10527abd47e5a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

MD5 3685212df369729af79c622659dd3c17
SHA1 99a03d5b01ee5771ec89cde6e6e4315b9d5adfd9
SHA256 128e47dbcc5e2b27365a3c0895a51bfe141cb8268a8e47b49e4e8108a785a3e3
SHA512 1df14893d51e0f423ada168819129ce2fac895fb5fefa5b9979593771adf5f84e9e863f16c9cbc853f444d56abcb04ddfd59bb826026755275d91d986bedad6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

MD5 2db5345850c203829dc2d4c66b441ac6
SHA1 25e5cbaffdfe0456301188b304106baea4750535
SHA256 2716710828b2390a73099b978e2ca941a8bce3fdc275fa58d511be7177e150ca
SHA512 c36e197ca81a2d9786d822d1058e1817600e82763c2027213ea67abbc0eb1257d48893163550cb6d46205e282c101efdfee9388d1457e30e78dee34e5b1e0ac5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

MD5 f63b161e8bf60bb22b8e7f22c93308a0
SHA1 b43018c82880625aed74ea2f4b19eee51bfdeb9a
SHA256 0951f9bdba6ffd5f4924816dff9ffd0074a68cde8bfb7c5ec06aa515d6c64f82
SHA512 a04dc28e1243b79b2bf2c9d5cb6c92d82dc44e1ff7750047ff77470a2ef0e7ce9698004f90a10559c255e098d64f00759a924fa75b677ad6f2e54744b15525a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\packet[1].log

MD5 0ffd3bd05a9281981db2330e5a7291c1
SHA1 fabbfea6c072f68692b81571d38e8eab72de1362
SHA256 286dca4423a65cbd5d23e9bf002e584ec16a88c0a5edf4cfdc6b639d982593ad
SHA512 54ff1df237207e4fe70808583b96a07d0366887ed7e3389527eaadb6c3e045c19c4ba1621a47e24fa661f52b504274b46af91acd1b562bc15b1e51518846c333

\??\pipe\crashpad_3472_XYURXXCJBEUGLALV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 8593d9a1303078a513df2dc2fe7a9673
SHA1 ef087d92df3f03235fd76b089a6f0c76652fee2b
SHA256 6e8a20519d9fb6eda687d5ceadb84e2da0706d7718dc90392c1f016303bdc8eb
SHA512 a81a971790f376b87d9ad0856d3c1130089b67104d78ba426b395018d4d8e2104fe6b7dc924aed9d70d201b5cfbc7995ef9aa0d9053638e57a897072c66bb616

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4560-461-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4560-462-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/4560-463-0x0000000005250000-0x00000000052E2000-memory.dmp

memory/4560-464-0x0000000005300000-0x000000000530A000-memory.dmp

memory/4560-465-0x00000000068B0000-0x0000000006EC8000-memory.dmp

memory/4560-466-0x00000000063F0000-0x00000000064FA000-memory.dmp

memory/4560-467-0x0000000006320000-0x0000000006332000-memory.dmp

memory/4560-468-0x0000000006380000-0x00000000063BC000-memory.dmp

memory/4560-469-0x0000000006500000-0x000000000654C000-memory.dmp

memory/4560-470-0x0000000006F50000-0x0000000006FC6000-memory.dmp

memory/4560-471-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

memory/4560-473-0x0000000008660000-0x0000000008822000-memory.dmp

memory/4560-474-0x0000000008D60000-0x000000000928C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

MD5 c806c4473f82ec409d0d01281513adc3
SHA1 a2a0d2dea8fb5429c8eb339d7504936db8b7ed95
SHA256 92cd61a571d3eb9dbff4319c293faf68a9a0960bd7efac19cd413df10d0b325a
SHA512 febbaad04eaa215c13f624905fa79c93f04057432895a67e93a41343fcbd02da3424713c62b068429d75a6833981c54f1dfa2df81d9d5ec891ab40fdd5bb2895

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 89f55681cd116518c116754e0407b2c8
SHA1 f5d4aeb85e94ba181091d6a1ebca93915919c9c6
SHA256 f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9
SHA512 8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 f732dbed9289177d15e236d0f8f2ddd3
SHA1 53f822af51b014bc3d4b575865d9c3ef0e4debde
SHA256 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512 b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 009b9a2ee7afbf6dd0b9617fc8f8ecba
SHA1 c97ed0652e731fc412e3b7bdfca2994b7cc206a7
SHA256 de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915
SHA512 6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7d06c2a44290f0b36023e83aff5e4246
SHA1 5105ca8e354d43f3c49f4aed9462852f8af5df3d
SHA256 94342b94b25dd3b8205edfb1fd6c73228b537e81e0479bd311dcd9297485b3ac
SHA512 f515ff6849fb65f3ecc0e33d66aa18f81cdd9b3dc4c97f27c2b08cb821a63207bc5b701f2a29c873d2d43f0f441ca4227080dffa323daf76139ba4053882a6f2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 eb0ffb6a4b7e59b5a586f6bd0a0f7f00
SHA1 1718d50b18a969f1810d69a85dd5ad10645fe13c
SHA256 6529ff4c3d41ff64d33dde337e8a340f7be8fe60925243d6b0306416603974e8
SHA512 374a8f349e05a5c832d4a3722cdba32e1bdb4c2278137ec9d2545a086fb6293943f2f06abd042a8cc10f1dd023e1a1b687e47a24905a1f1bb7db48e932d98d5a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

MD5 7626aade5004330bfb65f1e1f790df0c
SHA1 97dca3e04f19cfe55b010c13f10a81ffe8b8374b
SHA256 cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e
SHA512 f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

MD5 ee19dec250e4ed1da71aef33aa5b43fc
SHA1 a87fc08f1df65b5374bb691394235b77a4a1e620
SHA256 e928a377ed481440a60b003a0986986d78cf2f185b42f82b546ea70d5015b6c0
SHA512 a2acb8f4061fb072c4d909bb7a465a7e0cfdade9f0e8f1cf0c263d2af2ec63d1dab2d8ae304f646e5237cc0ac4dbf7275bf67d901df43fdede0d425559c6c8c9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

MD5 93c25d5422acbd4c200edecc09931acb
SHA1 45806ac9526ffbbdee2e0ad4c0624b72942601f3
SHA256 4bf4b49ad579987a4caaa5509131da8f3941a90dec9868606dd7ef9925008a7e
SHA512 792c30291b177dae6cfa2097bbd0e6af0352baf2f730fd04ba22c445b5bc043cf8a55ca6d7701aaf3d76e6d927a16345b5ece41acd3dbe6f184c2bc0eb6b2719

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

MD5 a561d71c0a281ad05f0c0bc6d5c82483
SHA1 fa4921ea779051f1ad2606baab39c4eed9da395e
SHA256 16a5c569861545d049e3d6a73d2dc236ebe50859b5555ee0d29990214f255dbd
SHA512 41a5e88d7e37e9025aeb19591700b23a7012543c3f5a9d6c7ccec8c4a3803bd04cb6030e0d9af37a628dc2ab50e1797193b840d17816aa39aa3a3b5400d75945

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

MD5 046cc08d163fc4578cd1b77a5d0965ac
SHA1 92f503e605c30974baf385f1619f1269b81dec57
SHA256 693a60684aa9ff4f01cb6027e9c938f4701c0c898afc224a0776cb1e18e87166
SHA512 e8b1df36a237bcbbad897146ca247edf75466b2a4030fec620c46932b5c31137f2931cd2758534e4308aed3fb9cc40edf2d7646a38530bcc5e6d7069c19a3b1f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

MD5 81a137b46cba2b5a814524fe4a291ebf
SHA1 18d95af5dfd59b667b40fd23c63453831359512e
SHA256 8f08807b100d432d53fb1064abe5db6984c91308e15833f14b697f8d11539ece
SHA512 45343fa7ce87ea219a350b6ef0b4d75bb3d504be72a1d3be06f45fb73d2dda57bb8f8afd510da67d91d415d0e488850c961d86bc31c5dca16fcf3d738c7414ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

MD5 4d556acbcbbc0ed3564929e0ae9fb4b6
SHA1 2b8556498df9b17fc2fe6607a77b2d931e1cc1fe
SHA256 4107444b048671be4cc752d35bbbbe2b4582deb3a6937583fc71d8991fcac360
SHA512 4eaa50584a25a1b4b92121425bd6f899003ee929c81fc5300d9d081242f159aeb765d0a8d092bbe8a69970686ef48e0fca51bc18d02283c29f70f5d29763996f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

MD5 566c0778516cf119ce2d66f9f308a145
SHA1 50a2bf3f9e9e04d93b97ec50202deaf79c0f7458
SHA256 93ca39d5bc43ad4e9cb02d52c8c773790832672003336324ea2520682411c6a1
SHA512 0c6ee86033d7952ff2dd313f433d0c4184d3c7198f829593ea5db8bd9e23806f01d709df03707f7069f2c4e20c08a8f505bfedc5222c24db14c46007a773a8a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

MD5 f81d9069c821672d8b7bb2ccd29ebd9f
SHA1 61bd2dbb3e34e362279d2d0bec95085f7fb83533
SHA256 05f78f00822c42274d46ccaf61516d37098858f0df7981285f3eb8642b549520
SHA512 8e242f79947f9f91da758329849ae5ab58373df6fded5f9ada218b5e3d50c3f3c8c012730aedd48870cf87265eddeb620c0f9aafcd738964402a205829ccec47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

MD5 be090f23b2d960aa16da71855e4799b2
SHA1 d9bb76e0c9c6f6238978adc1123f7f1733725c06
SHA256 4706c1fb8c81434d7cf300691c6304cd594c24995319bdd270181d4617dc7329
SHA512 492750fb544093d1dfca024495bdf22c03c22270933dff7b4b8f9cd5c6ded9655ce1d2acbccc6fb40af1c2e2ea2d40df0513cd8b46b8b6b57d9384ff870fa72f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

MD5 b4b5b42f50925cba095141c625a36cb2
SHA1 5b3ccb867eaca6e8f75c08d375672e24569c52e0
SHA256 756c83c2ec390a1e99dd76093cbbe1349975196216a30b97e37acf6383f5b9cc
SHA512 68080a044c2ee95385cd898d7861f248023b2d463d81b3793d66a43fa2f147bf8bcf104b61f8898db899dd1e3d040419bdcb0fb95f3631807f98119aad4a35e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

MD5 1b2a095218c3eeedfb2b8b722346b43f
SHA1 b2716ba89cea3ac46fe27b1b6ad4365ced152cdb
SHA256 7f3a7923ca967f5b97bf656589512435cab44e8e016bdfe82a6158a356504c3f
SHA512 5ec8962831b83bad1326a2afec2d9876d8e5300082c9c26fe1e98dfe654202962e405a4491f1bb97c8ce2f89f8584259fbc6ff9dc78dbffe04a6a2a333526a7d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

MD5 e242a2001cac7871c64f191881f47759
SHA1 9f461e78ab085d6ee8613727b7b788a944e738a3
SHA256 2f35d2b09d1c80c74ddda6493c5a7e78bc24feb406be8f999457bb181179072c
SHA512 c506e51cc86336d5643c60509b034cd73f02683dbfa42119f2a28b064cce24f370beddd18a28ca89749c064809a388916a698110566384d37a02332c1828ca2e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

MD5 c32632951f3fbec3e9e2f0a0c316895a
SHA1 d5aa32405d2a820f0569228334adceac73b49866
SHA256 c8682aa7e461f4031f1e5b13ce8b4429a69508cde21725ccd760634a3abc5cc9
SHA512 a901a46690377c32e7e052ae1468d0e048d732b79458822610e845f503e7ad91b56d26f11b73b8ecefaa2aff6f8cb3a7bf29243df82b82db971cf13be0144635

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

MD5 030c0a184cd78a58ecfe2d7dc97a5c5b
SHA1 3c9af2a8dcba1bc278cac8f7cf70329129af56b1
SHA256 9a4ea642e61f0febf9b61234ffdd9f28a171176b440cbb3dbd85e9ff3674a1df
SHA512 962475c3bf816756ee44b16e49cc54a698b5692c00274f60cb6cee0ca3c096489eca04d83fd3aca10e566f579ea82af7a2186fdfb5ecae51724e280d68afb536

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

MD5 8d56f07acc9c7cd9e43f356ed6b9de79
SHA1 4e15c39cfa81f8c433bab76b7fb1c712387e70df
SHA256 6041dd9074db79c600cdda2cf0388328e911ecb2a899a2d12c0b3ad63e594583
SHA512 105d691cb3e5719ce2b990dd399454f3fa57b5654f38901823f508cbe789de740a916dfa2280f667413c9489aaa00ee025f8207021ddd60c61c7fc3ffe9a4cfb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

MD5 208eb10d7ad5cba04c16b83a57a7fdd2
SHA1 9ef87025b8a6c5a782f95886524a59ef641fc77e
SHA256 cd0f944e4cae0b03d4029182e95dd95ed06a3a721ef900b27ac558374737bfa7
SHA512 77f20bcbf59c9cfff2fd1e105b3c88221f29636bbc7e810a0df1ec810617093f7e0504017c0056f9fdb601e123ca27b95a83cbc55792f38ae64bc22a5269f489

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 50fe96833b72aa53aaf8e7f7ed7519e2
SHA1 dde45af2598c2a19af0d747754b4afdee68b5145
SHA256 4427d2328869a6a1dd56e7c46fbf491a66946dbb94cb773fa8d2fbf47afa35aa
SHA512 c6338fa25a75d219e0f9501b5b1a381b10f858a4a88a6509d0ff5306d3cc15b8cb94d5be3ac0c1c5de6e85f8d51e8733845de66a0ba6b62542cab50796594d1d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13360803304702310

MD5 e37fe3581681e54a87d2de0f91cb8e0e
SHA1 6391506d8000c05fa85307f731012bd1fc7fd939
SHA256 22d53d88c5a3e60541fd6c06cee71d947fb9271d40421cee64720ff71c3b976c
SHA512 19844183f8d35abf4db783371fa870f0de471f96ee1979da0e295e34168fa1c2267f5f04ef3a45c49b957455fa33c71818a47a90633d4e101c11b0d069766f1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

MD5 de9ef0c5bcc012a3a1131988dee272d8
SHA1 fa9ccbdc969ac9e1474fce773234b28d50951cd8
SHA256 3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590
SHA512 cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

MD5 bad16174263f78802a093a37bdb0c015
SHA1 7f825b67f0e2b6d60b9fcbb7b545b480047fc974
SHA256 276fd74396131c36b77327749f5492cfec804f00041703404df82106f444542e
SHA512 5a8272ba7168145101b6d2e1608880be392f04b7611674dd4dba7e7ff15c68c06cf0171ed3bf4b61897eecc26e0714efcc2430bf27c2d7cf038f9c7b3126f871

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 71ebd715c1b24c23c96ab871ae4e7166
SHA1 bc342dbe30399b5e0c2f2248266ba26f918a14a7
SHA256 c1993a483ffc5eb24254f68ac49a4261c9763b2f8e6ddcf53e734594c98fe475
SHA512 5295c7052cf6e6dc1203479c8376dc661c0d607ace7518e0f04f4fb1feea39058116a4e3c6f197b47e7457c0bff63c9f4326d5b18b03a6be013f451dec0949a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 83c65e927fb7800ff877a2f76568b394
SHA1 62f75a359013e8e16b36e1281d008ef8c024ed2f
SHA256 737accdef24e3b2c3421f5a0a259071dafe496b4eb283eae84ca9ffe730bb28d
SHA512 12e23125b6ee8ae6006646776961c2f01af42825b0b1beb72a1a45ba182f79ed0e6f1fc85b953d232c14cbbed666820026b563e9b6e67de799e00899a61ba9a6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0a32fe1942aa41da1b08260df5d61ff5
SHA1 d509a7b6b3359fe5a250fdc0efa8671c669d155e
SHA256 506c11c299a8cc5b029c32b2758632bcbace10ce30fe99c5b617c540ad6c25a1
SHA512 3e1c15d48cb586136827a1cbe1034ffc5365c3cbe1311d5ee0deebac9910cb555c228898ade4eda1db17e9f0d2e62acbdfd4fdfcdc300144179f636b75a84469

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 1a4a994956030405e4e6d7ab28ed013a
SHA1 bf20e7bc8e5dda622af00feeea62cfb6a9375df4
SHA256 cabd9b58f51ed9d586d828d7a9eaa73ffcf13164c3c16057b8d04faf358e78d4
SHA512 d4820406fa0acaa164f2395328190a9d80647e967decb8c46c0cb1d38080247ace1695889776f6fc8ba98bdf549a7ad54bc5810b87ce89337f55b5222d1bccb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 5eb1bf4b19d9109cb0b4a9d0351df629
SHA1 b7630055bef09fedce03d1d594fcadea95eeefee
SHA256 f9a6251eee3ac17c15e0f8ff3a181e279131548f6651323cac1309c7819c98e3
SHA512 1bb8ee6f9d080b870803edc3955cacc4667a508a84f6161edd5001bcd56104678561063f5b9fd04bf20094613eb08d31733345e48bd24be88e305a990ff78379

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 629248ec8df068c6d85de4178de7a41a
SHA1 fff00579b40923a31c1da4fb22a0f91107128cc4
SHA256 12c53621c733a7bae9aadaf974e0c0dfddd5d0c9af489153058077571f3db9d6
SHA512 f20880e0b111310ba68a8e5c3d72adbf728f20e1c287a4537ce9d3cfcf30c6040bb7803185eca91046647960908792de174a0d2a7544b5381fc7a56191b2ccbf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3624e7c197806f783296de7a4617f716
SHA1 78dc26f668b3a9a3b6558db385597e3737b02ad0
SHA256 ec9a09a3af936333497cfe2d0a98f29b539795b06d801f1bfffe2cd46d88b1c2
SHA512 78558a90fde5e07fa453caf7743521678ce92b642d961b54307edef980da6e9bda40be62598986aef4098b29ad27fb25271cdbdb6f4a54e07a160ebae36b1b38

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 81a1d4bdb641881e48c3c0a3455f1772
SHA1 95194f51bbe29dd302751dd7e896837b6d1e9fe6
SHA256 b3fcf44360253f50d62ecc553ad83844151d6b731ebebe82d1aaadd98b56b8c5
SHA512 70c76268ecfeea7d46815e6d1c94acd104e5e781d6875a4f998989b66738502f05a4d2eb99bce02f1c36b9aa47f6026357a0077450f3897e29cbde21464f38e3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59674b.TMP

MD5 2d0ba3646ce1674071715bd1f3455da1
SHA1 0065bda3ba2b49dcf5cd48a7a6e9b712c2376966
SHA256 b08a871d0a931ef0a5bbd110cccbe1728b3f18bdb74deff33df32771dacc7eba
SHA512 ea201b1dccc21295d455374a4b4427f0bfb94f50685ce764ba38130f431ebcf5fd8461ebb53bc6d338140d480970a3c70ec654026bd01e594eecbafaf2450683

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 57e1895ccd7c3648418bc1c61302b29d
SHA1 6351af470495c0dbeb865231aaa62ff943f212fc
SHA256 e7f161ec8ebdd126fd0b86cec06aa3e86f0fad0726b9d41117745391c30b87c9
SHA512 611161f2db2e678cdbb0e87d8797d6036ae42bcfe092470c8875dbd4e894915413fae131ff7833f93e1817e58100b901d46fe8d6d04661f4e5e73b813dcb92a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 958cda395489bc42d1c9d333a07d8bb8
SHA1 22f5d545c209282860e4610f2cb28fe13d949427
SHA256 d896ff56c2c12f058fce8bd100d4d5de7a8ee331b9ac8b9a8d6638640b8d749f
SHA512 17758d8bda59780a13915750877b7457aa10780943aac06663e2b2afdf0783593145fa3745d0bf7e617a0fd57ec7fb4b7aeadd57ec6304892d6c44d0143b5acf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 383bc93c8f67b5073b10afe9a214592e
SHA1 20776a03f7ba32c09703e312d6b393e894235aa2
SHA256 d6e33a17a97a32680c538b72f8bc70d044bbde859255031c28c333bcc9f12b8a
SHA512 6c043716bc85f70aa4de54a29c8ddc21435147d795d929e3ba07651129d4b3ec48fd0909516ac811af93cc5e87dc2b50aafc656b42f32e3cff0bfcdcba095f5e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 acbbb58fcdedd2f18dff2c30692ec07d
SHA1 2b16ec6db2693bdeba0f32e30236413bd29191a9
SHA256 8c7f2662844438a2664f3978940e3e0d5961c3452736029438f6627798357131
SHA512 062c20e4a0f2ee73d3385c18d7980a47c10b66d3448edc8f34a6a77e023bda37a601b422ff4c81a10ec365df49e73c7971e3a2f9096670f9efeecf5458ae2ff3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 4208adc1286ad96a330b0d7ee1a5a4e9
SHA1 a41227f18d41c90e7b9b3b23d3f346e3ce9522fb
SHA256 353668160d0fdfaf4ed54404a840f726370979cc0858d2920a4d874d0b2ee1e0
SHA512 e11faa6024c5406f0b876b832cf0b31d2d38813992c97776dee24a14d3ac2cb800b5a4744e6b547d249ab0f6f3c8ee2b9aef74a72c85e0f0010f30a5a5ec3ca8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 711b11d7a6fd52c38e6dfa03489fc7e8
SHA1 359d330efa96476d0277db2afc25a33bd0d7540e
SHA256 77fbed2c26263d051cc296a701196832cb1492480e15d48f678c297d511a3732
SHA512 7366659b871739ec3b481d20afb71a65555139c21edf397ca73c56f21f599f2790b34f747adfdcaa7365c9542fb81678f94b26b4398b739c372e4148d1d80b5b
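Two entries in the list above carry tell-tale digests: the crashpad named pipe (\??\pipe\crashpad_3472_...) is hashed as zero bytes, and "SCT Auditing Pending Reports" is hashed as the two-byte string "[]". Recomputing the digests of constructed content is the quickest way to confirm that, and to catch a mis-copied hash before it goes into a blocklist. The following is an added example written for this page, not tooling from the sandbox that produced the report; the two records are copied from the list above, the "trivial content" table is derived at runtime from constructed byte strings, and digests_of_file is a helper for checking a real file on disk.

```python
"""Recompute the four digests a sandbox lists per file and flag records whose
content is trivially known (empty file, empty JSON array/object)."""
import hashlib
from typing import Optional

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """Return {algorithm: hex digest} for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same, streamed from disk so large memory dumps are not loaded at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Content that shows up constantly in sandbox file lists. Keyed by the sha256 of
# constructed bytes, so nothing here is hand-typed.
KNOWN_TRIVIAL = {
    digests(b"")["sha256"]: "empty (0 bytes)",
    digests(b"[]")["sha256"]: "empty JSON array",
    digests(b"{}")["sha256"]: "empty JSON object",
}

# Two records copied verbatim from the behavioral2 Files list of this report.
REPORT_RECORDS = [
    {"path": r"\??\pipe\crashpad_3472_XYURXXCJBEUGLALV",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
               "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
    {"path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports",
     "md5": "d751713988987e9331980363e24189ce",
     "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
     "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
     "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d604"
               "0e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af"},
]


def classify_record(record: dict) -> Optional[str]:
    """Label a record whose sha256 matches known trivial content, else None."""
    return KNOWN_TRIVIAL.get(record["sha256"].lower())


def verify_record(record: dict, data: bytes) -> dict:
    """Compare every listed digest with the recomputed one; returns {alg: bool}.
    Any False means the record was mis-copied or the content is not what you think."""
    actual = digests(data)
    return {name: actual[name] == record[name].lower() for name in ALGORITHMS}
```

Run classify_record over a whole file list before exporting indicators: a record that resolves to "empty (0 bytes)" or "empty JSON array" is a browser or crash-reporter housekeeping artifact, not something worth a detection rule, and the same digests will match on every clean host.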

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 22:12

Reported

2024-05-21 22:16

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-21 22:12

Reported

2024-05-21 22:16

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4980 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4980 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2932 -ip 2932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 604
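The three WriteProcessMemory rows above all describe one pair: PID 4980 (the 64-bit C:\Windows\system32\rundll32.exe) writing into PID 2932 (its C:\Windows\SysWOW64\rundll32.exe twin), and both WerFault command lines name 2932 with -p as the faulting process. A System32 binary spawning its own SysWOW64 copy is consistent with rundll32 re-launching itself to host a 32-bit DLL (lua51.dll here), so the memory write is the process hand-off rather than an injection into an unrelated process. The script below is an added example, not part of the report: it joins the signature rows and the WerFault arguments into one chain so that the "wrote to memory of" pair, the WoW64 hand-off heuristic and the crash of the target are checked programmatically. The regular expression assumes the row layout shown on this page (PID, target PID, indicator, process, target; no spaces in the image paths).

```python
"""Correlate WriteProcessMemory signature rows with WerFault command lines to
reconstruct a parent -> child -> crash chain from one sandbox detonation."""
import re

# Copied from the behavioral4 analysis: the three signature rows and the two WerFault lines.
WPM_ROWS = [
    r"PID 4980 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 4980 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 4980 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
]
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2932 -ip 2932",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 604",
]

# Row layout assumed from this page: "PID <w> wrote to memory of <t> <indicator> <writer> <target>".
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_wpm(rows):
    """-> [(writer_pid, target_pid, writer_image, target_image)], duplicate rows collapsed."""
    edges = []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unexpected WriteProcessMemory row: {row!r}")
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def werfault_target_pid(cmdline):
    """WerFault names the faulting process with '-p <pid>'; returns it, or None."""
    argv = cmdline.split()  # no quoted arguments in the lines above
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == "-p" and argv[i + 1].isdigit():
            return int(argv[i + 1])
    return None


def is_wow64_handoff(writer_image, target_image):
    """True when a System32 binary spawned the SysWOW64 binary of the same name,
    which is how 64-bit rundll32.exe re-launches itself to host a 32-bit DLL."""
    w, t = writer_image.lower(), target_image.lower()
    return (w.startswith("c:\\windows\\system32\\")
            and t.startswith("c:\\windows\\syswow64\\")
            and w.rsplit("\\", 1)[1] == t.rsplit("\\", 1)[1])


def build_chain(wpm_rows, werfault_cmdlines):
    """One dict per distinct writer->target edge, annotated with the hand-off
    heuristic and whether WerFault later reported the target as crashed."""
    crashed = {pid for pid in map(werfault_target_pid, werfault_cmdlines) if pid is not None}
    chain = []
    for writer_pid, target_pid, writer_img, target_img in parse_wpm(wpm_rows):
        chain.append({
            "writer": (writer_pid, writer_img),
            "target": (target_pid, target_img),
            "wow64_handoff": is_wow64_handoff(writer_img, target_img),
            "target_crashed": target_pid in crashed,
        })
    return chain
```

An edge whose writer and target are unrelated images (a dropped executable writing into a system process, for instance) would come back with wow64_handoff False, and that is the case the signature exists for; here the only edge is the hand-off, and the 32-bit rundll32 that received lua51.dll is the process WerFault reports.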

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
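Every row in the table above is either a lookup against the sandbox resolver (8.8.8.8:53), a reverse (in-addr.arpa) lookup, or a connection to bing.com / bing.net: background traffic of the Windows image, with no command-and-control destination for this detonation. The script below is an added example, not part of the report, that makes that judgement repeatable: it parses the 18 rows as copied from the page, drops PTR and background rows, recovers the forward IPs behind the reverse lookups (they name peers the guest contacted even where no direct TCP row exists), and returns whatever is left as candidate indicators. The background-suffix list is an assumption for this sandbox image, and the final row is a constructed one (TEST-NET-3 address, reserved .example name) used only to show the "review" path firing.

```python
"""Split a sandbox Network table into resolver/PTR/background noise versus rows
that deserve treatment as candidate C2 indicators."""
import ipaddress

# Header and all 18 rows copied from the behavioral4 Network table of this report.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
"""

# Assumption: these suffixes are accepted as Windows background traffic for this
# sandbox image. The list is environment-specific; start empty if unsure.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")

# Constructed row (TEST-NET-3 address, reserved .example TLD) that exercises the
# "review" path. It is NOT in the report.
CONSTRUCTED_C2_ROW = "RU 203.0.113.5:4444 c2.example tcp"


def parse_table(text):
    """Whitespace-separated rows under a header line -> list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def ptr_to_ip(name):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def is_background(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def classify(row):
    if ptr_to_ip(row["Domain"]):
        return "ptr-lookup"
    if is_background(row["Domain"]):
        return "background"
    return "review"


def triage(text):
    """-> (buckets by class, forward IPs recovered from PTR rows, candidate IOCs)."""
    buckets = {}
    for row in parse_table(text):
        buckets.setdefault(classify(row), []).append(row)
    # PTR names reveal peers even without a direct connection row for them.
    resolved = sorted({ptr_to_ip(r["Domain"]) for r in buckets.get("ptr-lookup", [])})
    candidates = sorted({(r["Destination"], r["Domain"], r["Proto"])
                         for r in buckets.get("review", [])})
    return buckets, resolved, candidates
```

On this table the candidate list is empty; the network indicators for the RedLine payload have to come from the detonations that actually ran the stealer, not from this rundll32 crash run. Compare the recovered PTR targets with any IP that appears elsewhere in the report before concluding a host was never contacted.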

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-21 22:12

Reported

2024-05-21 22:16

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\luajit.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\luajit.exe

"C:\Users\Admin\AppData\Local\Temp\luajit.exe"

Network

N/A

Files

N/A